CVE-2023-31716
Published: 22 September 2023
Summary
CVE-2023-31716 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability in Frangoteam Fuxa. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 2.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
FUXA versions 1.1.12 and earlier are affected by a local file inclusion vulnerability that can be triggered via the file parameter, for example by supplying fuxa.log. The issue is tracked as CVE-2023-31716 and carries a CVSS 3.1 base score of 7.5, reflecting network attack vector, low complexity, and no required privileges or user interaction, with high impact limited to confidentiality.
An unauthenticated remote attacker can exploit the flaw to read arbitrary local files on the server, directly exposing sensitive data such as logs or configuration contents. The weakness maps to CWE-98, indicating improper control of filenames used in include or require operations.
Public references consist of a proof-of-concept repository and the upstream FUXA project page; neither reference supplies patch details or mitigation steps. The EPSS score stands at 0.3711 with an identical recorded peak, indicating no material post-disclosure rise.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-2413
Vulnerability details
FUXA <= 1.1.12 has a Local File Inclusion vulnerability via file=fuxa.log
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping is in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.